IDappcom Rules, PCAPS, Traffic Files & Library

IDappcom PCAPs (Packet CAPture)

Our packet captures (PCAP files) contain the stream of data packets that computers send to each other over a network in order to communicate. Idappcom can provide unencrypted PCAPs containing examples of malicious actors exploiting vulnerabilities, which can be used to trigger our security rules, as well as ordinary benign traffic for configuration testing purposes.

IDappcom Traffic Files
IDappcom provides our PCAP files in a proprietary encrypted file format, KAR, which prevents overzealous virus scanners from inspecting and deleting them. These files are replayed using our Traffic IQ Professional software, which can be used to determine the threat response of your corporate IDS and IPS (Intrusion Detection/Prevention Systems) as well as to test and validate the configuration of your entire networking infrastructure.

IDappcom Security Rules
IDappcom's PCAPs have one or more associated SNORT signatures. These 'security rules' are written in the standard SNORT syntax and are used to detect the vulnerability contained in the traffic file. Our rules can be provided as a text file or contained in a Microsoft Access database, and can be loaded straight into a Snort-compatible IDS or IPS, requiring minimal additional configuration.

IDappcom Library
The complete IDappcom Library contains our full complement of PCAP/KAR files and SNORT security rules, and includes additional metadata describing each vulnerability. It can be made available as a Microsoft Access database or via a JSON API.

Why IDappcom Rules?

Our rules are built by a dedicated research team, who analyse exploits discovered in the wild and write custom Snort rules specially designed to identify and stop them. Targeting the vulnerability itself allows the exploit to be blocked regardless of where it is coming from, an important step up from relying on unwieldy and rapidly changing IP block lists.

Accurate and appropriate Updates

Idappcom rules are researched by a dedicated team who prove that each exploit exists, works and is in the wild; the rules are then published to select vendors for inclusion in their device updates. Be aware that not all rules are published by the vendors, mainly due to performance constraints, and of course not all vendors use our rules. So, for complete peace of mind, you need Idappcom rules management and our pen testing tools to reduce your risks.

The issue is defining and understanding the difference between actual exploits and malware on the one hand, and blacklists on the other. Once you understand that, you can start to weigh the effectiveness of the rules against the usefulness of the blacklists. You need both, but you need to manage both and not get into a numbers game.

Complete Intelligence

Our comprehensive library of current and historical exploit information (over 21,000 actual proven exploits) is constantly being updated and is used by all the top IPS/NGFW vendors. Their feedback helps us to provide the very best intelligence and mitigation available.

Thorough Coverage

IDappcom includes protection against not just the exploitable vulnerabilities (as opposed to vulnerabilities that have no exploit!), but also the many variants and morphed forms of those exploits, making it a full-featured rule set.

IDappcom Rules work on SNORT®, and many other IDS platforms. With IDappcom you get truly thorough and comprehensive coverage trusted by the top IPS/NGFW vendors in the world.

When comparing the Idappcom Snort ruleset with other prevention and detection options, you'll want to consider questions like:

  • Can today's malware morph into something else? How long will it remain a threat?

  • Are other vendors as comprehensive? Or do they provide volume for volume’s sake?

  • Does a ruleset protect mainly against malware to get 'impressive' numbers, or does it also cover the actual working exploits that are the real security concerns?

  • Is the ruleset based on industry standard SNORT, or is it a closed source proprietary format?

  • Does your ruleset detect 100% of the real exploits, or only 30% of them?

  • How do you know the ruleset really is detecting an exploit? Does your supplier give you the choice of an industry-leading pen testing tool and the actual PCAPs to test, tune and refine with?

  • Does your supplier give you a management tool to import rules from multiple sources; edit, copy and create rules; select them according to your criteria; validate them; and filter out rules with duplicated functionality?

  • Does your supplier give you the tool to manage deployment for rules over multiple sensors?

When it comes to answering questions like these, IDappcom’s comprehensive ruleset, Traffic IQ Professional testing software and Easy Rules Manager deployment suite are a winning combination, and the expert’s choice. Tests show that IDappcom’s ruleset increases the detection rate, over other popular rules, by 61%.